On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <[email protected]> wrote: > Yes, we posted all 2015 issued SSL from WoSign trusted root. > > On 2 Sep 2016, at 22:55, Peter Bowen <[email protected]> wrote: >> Based on CT logs, I have seen certificates from the CAs below, all of >> which have "WoSign" in the name. Have you logged all certificates >> which are signed by these CAs and have a notBefore date of >> 20150101000000Z or later to the WoSign CT log?
Richard, It seems then there is a newly exposed bug. https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA that has a notBefore in March 2015. It does not appear in the CT log. However another certificate with identical serial number and subject, but different Validity, does appear in the log. Are you aware of a bug where you were issuing certificates identical except for validity period? Thanks, Peter _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
